Ghidra: Software Reverse Engineering Framework

Last Release: 05/16/2019     Last Commit: 09/13/2019

Ghidra: Software Reverse Engineering Framework

Introduction

Ghidra is a Software Reverse Engineering (SRE) Framework developed by the National Security Agency Research Directorate for NSA’s cybersecurity mission. It was created with aim to help all pentesters and cybersecurity professionals with reverse engineering, analyzing code for malware and viruses, to understand potential vulnerabilities in systems/networks, etc.

NSA officially released Ghidra, as a first public demonstration, in march 2019 at the RSA Conference. It’s now open to public as an open-source release. Feel free to contribute!

Ghidra: SRE [Software Reverse Engineering ] Framework

Ghidra SRE tool was built to provide a customizable and extensible reverse engineering platform which will solve all scaling problems that cybersecurity experts and teams encounter on a daily basis. In addition, NSA hopes that Ghidra is going to improve cybersecurity education trough school, cybersecurity training and similar activities.

Features:

  • Ghidra is completely free and open source available for both experienced cybersecurity professionals and those who just have started.
  • Includes plenty of software analysis tools for compiled code analysis.
  • Cross-platform: Linux (64-bit, CentOS recommended/preferred), OS X 10.8.3+, Windows (7/10).
  • It’s capable of disassembling, assembling, decompilation, graphic/scripting, etc. It has a processor modeling language Sleigh that specifies how machine language instructions are dissembled and transformed into a P-code (tool’s intermediate presentation).
  • Ghidra can be run in both interactive GUI and automated modes. It also supports a number of processor instruction sets and executable formats.
  • It allows you to develop your own plugins and scripts using the exposed API (Java or Python).
  • And so much more.

Requirements:

Software:

Java 11 (JDK): It’s suggested to use OpenJDK distributed from jdk.java.net.

Hardware:

– 4+ GB RAM, 1 GB storage (to install Ghidra binaries), Dual monitors (optional & suggested).

Install

Linux / OS X

  1. Download the zip file.
  2. Extract the .tar.gz file to your desired location:
  3. $ tar -xvf <JDK_dist.tar.gz> 
  4. Open ~/.bashrc with editor of your choice and add the following to the PATH variable:
  5. export PATH=<path of extracted JDK dir>/bin:$PATH 
  6. Save file and restart all open terminals.
Note:  To force Ghidra to launch with a specific version of Java, set the  JAVA_HOME_OVERRIDE  property the support/launch.properties file.

Windows

  1. Extract the zip file (JDK distribution): Right click -> Extract all.
  2. Open environment variables window:
    1. Windows 7 – Start button → Computer → Properties. Windows 10: Start button -> System.
    2. Click Advanced system settings
    3. Click Environment variables
  3. Add the JDK to the PATH:
    1. System variables: highlight PATH and click edit
    2. Add semicolon followed by <path of extracted JDK dir>\bin
    3. Click OK…

Usage

To start Ghidra in GUI mode, run ghidraRun.bat (Windows) or ghidraRun (Linux or macOS). You can also run it in a Headless Batch mode using command line, or in Single Jar Mode. For more information, click on the “documentation” button below.

  • Tutorials/docu can be found in /docs.
  • To access Help on a topic, press F1 or Help on any menu item or dialog.
  • When Ghidra is running, indexed help can be found under Help → Topics

Plugins/Exstensions

  • Eclipse: plugin for a pre-existing Eclipse installation. For more information see:<GhidraInstallDir>/Extensions/Eclipse/GhidraDev/GhidraDev_README.html.
  • Ghidra: Ghidra extensions – contribs. See Ghidra Extension Notes for more information.
  • IDAPro: IDAPro plugins/loaders for transferring items with Ghidra.
Documentation Box
Download Box